Page 1 of 6
Vin protection
Posted: 02 Jan 2020, 17:45
by Gwe89
Has anyone figured out how m0tral got the whole VIN into 4 bytes?
Re: Vin protection
Posted: 02 Jan 2020, 20:22
by Go4IT
Hash?!
Re: Vin protection
Posted: 02 Jan 2020, 20:51
by Gwe89
I have tried many combinations and cannot get the same outcome. It's no use, but I'm interested how he's done it.
Re: Vin protection
Posted: 02 Jan 2020, 22:13
by Go4IT
Well, then disassemble the routine handling the data you found and you'll know.
Re: Vin protection
Posted: 03 Jan 2020, 07:37
by Vlada871
It's not all of the VIN... just a combination of the year of production and the last VIN digits.
Re: Vin protection
Posted: 03 Jan 2020, 13:28
by Gwe89
Vlada871 wrote: 03 Jan 2020, 07:37
It's not all of the VIN... just a combination of the year of production and the last VIN digits.
But if you change a single digit, any digit in the VIN, it will either boot loop or features no longer work.
Re: Vin protection
Posted: 06 Jan 2020, 18:55
by leader
For m0tral firmwares you only need to calculate 2 bytes from the VIN, and you need to patch these 2 bytes in 2 different locations (it checks the VIN twice).
Check out the following small C code:
#include <stdio.h>
typedef unsigned long DWORD;
typedef unsigned short WORD;
#define LOWORD(a) ((WORD)(a))
#define HIWORD(a) ((WORD)(((DWORD)(a) >> 16) & 0xFFFF))
/* 32-bit rotate right of a1 by a2 bits (a2 is 1..17 here, so the shift
   amounts stay in range); unsigned so the sum below cannot overflow as
   signed int, which would be undefined behaviour */
unsigned int calc(unsigned int a1, char a2)
{
    return (a1 << (32 - a2)) | (a1 >> a2);
}
int main(void) {
    char VIN[] = "WF0EXXGXXY8X12345";   /* sample VIN, 17 ASCII characters */
    unsigned int x = 0;
    int i;
    /* each VIN character is rotated by its 1-based position and summed */
    for (i = 0; i < 17; i++)
        x += calc(VIN[i], i + 1);
    /* fold the upper 16 bits into the lower 16 and split into 2 bytes */
    unsigned char x1 = (HIWORD(x) + x) & 0xff;
    unsigned char x2 = ((HIWORD(x) + x) >> 0x08) & 0xff;
    /* the same 2 bytes are stored at 2 locations in the firmware */
    printf("0xd59f6: %08X\n", x1);
    printf("0xd59EE: %08X\n", x2);
    printf("0xd5b48: %08X\n", x1);
    printf("0xd5b40: %08X\n", x2);
    return 0;
}
But it's much easier to patch the 2 conditional jumps instead of calculating and patching these bytes....
Re: Vin protection
Posted: 07 Jan 2020, 06:17
by Go4IT
Agreed, by removing the jumps the firmware becomes universally usable. But please don't post this on the forum, as it will only raise registration requests.
But it's good to know how the protection works; algos are always highly welcome!
Did you manage to find those jumps? I've never looked into a modified FW; I'm currently disassembling the genuine FW.
Re: Vin protection
Posted: 07 Jan 2020, 08:51
by leader
Yes, I identified the jumps.
And I also created 2 tools to deal with the protected firmwares.
One is a simple program written in C to patch the jumps directly in the VBF file (and of course it recalculates the checksums as well).
The other tool is a simple webpage in PHP. There is an input field to upload the ZIP file containing the MondeoElmLoader.exe (the package received from m0tral).
The tool will extract the VBF from the exe, patch the jumps and repack it into the exe file. So finally you will receive the MondeoElmLoader.exe including the unprotected VBF file. Of course you need to have a valid license file for the MondeoElmLoader.exe, but that is another story...
Re: Vin protection
Posted: 07 Jan 2020, 14:06
by Stevebe
There is a slight variation between the different models, S-MAX, GALAXY and MONDEO:
WFOS
WFOE
WF0G